Amendments to the Claims 



1. (currently amended) A computing system including a processor for 
processing requests comprising : 

a pluggable security policy enforcement module configured to be 
replaceable in the computing system and to provide different granularities of 
security control for a business logic module in the computing system, wherein the 
business logic module processes requests submitted to the computing system, 
wherein the business logic module contains problem- solving logic that produces 
solutions for a particular problem domain, 

wherein the pluggable security pohcy enforcement module is configured to 
determine, for a particular granularity of control, whether to permit an the business 
logic module to perform an operation based on the particular business logic 
operation[ [,]] requested by a use r, and based at least in part on a permission 
assigned to the user, aed-wherein the business logic module employs interaction- 
based definitions in which a component which performs the business logic 
operation is defined by a series of request-response interaction definitions that can 
be satisfied to perform the business logic operation, 

and wherein the different granularities of control comprise a plurality of 
sets of rules^ that can be replaced with each other without altering the business 
logic module. 

2. (canceled). 

3. (canceled). 
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4. (currently amended) A system comprising; 
a processor for processing requests: 

a an independent pluggable security policy enforcement module configured 
to be replaceable in the system and to provide different granularities of security 
control for a business logic module included in the system, wherein the business 
logic module processes requests submitted to the system for processing , wherein 
the business logic module contains problem-solving logic that produces solutions 
for a particular problem domain, and wherein the business logic module employs 
interaction-based definitions in which a component which performs an operation 
associated with an individual request is defined by a series of request-response 
interaction definitions that can be satisfied to perform the operation, 

wherein the pluggable security policy enforcement module includes a 
control module configured to determine whether to permit esi the operation based 
at least in part on accessing the business logic module to identify one or more 
additional tests to perform, and further configured to perform the one or more 
additional tests to determine if a user is able to make the individual request based 
on the operation and an object to be operated on . 

5. (previously presented) A system as recited in claim 4, wherein the 
conti-ol module is further configured to return a result of the determining to the 
business logic module. 

6. (currently amended) A computing system including a processor 
comprising: 
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a pluggable security policy enforcement module configured to be 
independently r eplaceable in the computing system and to provide different 
granularities of control for a business logic module in the system, wherein the 
business logic module processes requests submitted to the computing system, and 
wherein the business logic module employs interaction-based definitions in which 
a component which performs an operation associated with an individual request is 
defined by a series of request-response interaction definitions that can be satisfied 
to perform the operation, 

wherein the different granularities of control comprise a plurality of sets of 
rules, and wherein each set of rules includes a plurality of permission assignment 
objects, wherein each of the permission assignment objects associates a user with 
a particular role, wherein each particular role is associated with one or more 
permissions, and wherein each of the one or more permissions identifies a 
particular operation and context on which the operation is to be performed. 

7. (currently amended) A computing system as recited in claim 6, wherein 
each of the permission assignment objects further identifies whether the one or 
more permissions in the particular role are granted to the user or denied to the 
user. 

8. (currently amended) One or more computer-readable media comprising 
computer- executable instructions that, when executed by a processor , direct a the 
processor to perform acts including: 

receiving a request to perform an operation; 



checking whether to access a business logic module in order to generate a 
result for the requested operation, wherein the business logic module contains 
problem-solving logic that produces solutions for a particular problem domain, 
and wherein the business logic module employs interaction-based definitions in 
which a component which performs an operation associated with the request is 
defined by a series of request-response interaction definitions that can be satisfied 
to perform the operation; 

obtaining, firom the business logic module, a set of zero or more additional 
tests to be performed in order to generate the result; 

performing each additional test in the set of tests if there is at least one test 
in the set of tests; 

checking a set of pluggable rules to determine the result of the requested 
operation; and 

returning, as the result, a failure indication if checking the business logic 
module or checking the set of pluggable rules indicates that the result is a failure, 
otherwise returning, as the result, a success indication. 

9. (previously presented) One or more computer-readable media as recited 
in claim 8, wherein the receiving comprises receiving, from the business logic 
module, the request to perform the operation. 

10. (original) One or more computer-readable media as recited in claim 8, 
wherein the receiving comprises receiving, as part of the request, an indication of 
a user, and wherein the checking the set of pluggable rules comprises comparing 
an object associated with the user to the rules in the set of pluggable rules and 



determining whether the operation can be performed based at least in part on 
whether the user is permitted to perform the operation. 

11. (original) One or more computer-readable media as recited in claim 8, 
wherein the receiving comprises having one of a plurality of methods invoked. 

12. (original) One or more computer-readable media as recited in claim 8, 
wherein the set of pluggable rules is a set of security rules defined using high-level 
permission concepts. 

13. (original) One or more computer-readable media as recited in claim 12, 
wherein the high-level permission concepts include an operation and a context, 
wherein the operation allows identification of an operation to be performed and 
the context allows identification of what the operation is to be performed on. 

14. (original) One or more computer-readable media as recited in claim 8, 
wherein the computer-executable instructions are implemented as an object. 

15. (original) One or more computer-readable media as recited in claim 8, 
wherein the computer- executable instructions further direct the processor to 
perform acts including: 

determining if at least one of the tests in the set of zero or more additional 
tests would indicate a result of failure; and 

returning, as the result, the failure indication without checking the set of 
pluggable rules. 
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1 6. (previously presented) One or more computer-readable media as recited 
in claim 8, wherein the set of pluggable rules can be replaced with another set of 
pluggable rules without altering the business logic module. 



17. (original) One or more computer-readable media as recited in claim 8, 
wherein the set of pluggable rules includes a plurality of permission assignment 
objects, wherein each of the permission assignment objects associates a user with 
a particular role, wherein each particular role is associated with one or more 
permissions, and wherein each of the one or more permissions identifies a 
particular operation and context on which the operation is to be performed. 

18. (original) One or more computer-readable media as recited in claim 17, 
wherein each of the permission assignment objects further identifies whether the 
one or more permissions in the particular role are granted to the user or denied to 
the user. 



19. (currently amended) A method comprising: 

providing high-level permission concepts , including context and operation. 
for security rules; 

allowing a set of security rules to be defined using the high-level 
permission concepts, wherein the set of security rules allows permissions to be 
assigned to users of an application; and 

determining, based at least in part on a permission assigned to a user, 
whether to permit an operation based on a request by the user, 
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wherein the determining further comprises determining whether to permit 
the operation requested by the user based at least in part on accessing a business 
logic module to identify one or more additional tests to perform to determine if the 
operation is permitted , and further comprising performing the one or more 
additional tests, wherein the business logic module contains problem-solving logic 
that produces solutions for a particular problem domain, and wherein the business 
logic module employs interaction-based definitions in which a component which 
performs the operation is defined by a series of request-response interaction 
definitions that can be satisfied to perform the operation. 

20. (canceled). 

21. (previously presented) A method as recited in claim 19, further 
comprising returning a result of the determining to the business logic module. 

22. (original) A method as recited in claim 19, wherein the high-level 
permission concepts include an operation and a context, wherein the operation 
allows identification of an operation to be performed and the context allows 
identification of what the operation is to be performed on. 

23. (original) A method as recited in claim 19, wherein the method is 
implemented in an object having a plurality of interfaces for requesting a 
determination as to whether to permit a plurality of operations including the 
operation requested by the user. 
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24. (original) A method as recited in claim 19, wherein the set of security 
rules includes a plurality of permission assignment objects, wherein each of the 
permission assignment objects associates a user with a particular role, wherein 
each particular role is associated with one or more permissions, and wherein each 
of the one or more permissions identifies a particular operation and context on 
which the operation is to be performed. 

25. (original) A method as recited in claim 24, wherein each of the 
permission assignment objects further identifies whether the one or more 
permissions in the particular role are granted to the user or denied to the user. 

26. (currently amended) A method comprising: 

receiving a request to perform an operation associated with business logic 
module, wherein the business logic module contains problem-solving logic that 
produces solutions for a particular problem domain, and wherein the business 
logic module employs interaction-based definitions in which a component which 
performs the operation is defined by a series of request-response interaction 
definitions that can be satisfied to perform the operation; 

accessing a set of low-level rules, wherein the low-level rules , including at 
least one of modifying, deleting, viewing, approving, or creating, are defined in 
terms of high-level concepts; 

checking whether a user requesting to perform the operation is entitled to 
perform the operation based at least in part on the set of low-level rules; and 

returning an indication of whether the operation is allowed or not allowed. 
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wherein the set of low-level rules can be replaced with another set of low- 
level rules without altering the business logic module. 

27. (previously presented) A method as recited in claim 26, wherein the 
checking further comprises checking whether the user is entitled to perform the 
operation based at least in part on accessing the business logic module to identify 
one or more additional tests to perform, and further comprising performing the one 
or more additional tests. 

28. (canceled). 

29. (previously presented) A method as recited in claim 27, fiirther 
comprising returning the indication to the business logic module. 

30. (original) A method as recited in claim 26, wherein the low-level rules 
include a plurality of permission assignment objects, wherein each of the 
permission assignment objects associates a user with a particular role, wherein 
each particular role is associated with one or more permissions, and wherein each 
of the one or more permissions identifies a particular operation and context on 
which the operation is to be performed. 

31. -34. (canceled). 

35. (currently ameneded) An architecture comprising: 

a plurality of resources including a processor to process requests : 



a business logic layer to process, based at least in part on the plurality of 
resources, requests received from a client, wherein the business logic layer 
contains problem-solving logic that produces solutions for a particular problem 
domain, and wherein the business logic layer employs interaction-based 
definitions in which a component which performs an operation corresponding to 
an individual request is defined by a series of request-response interaction 
definitions that can be satisfied to perform the operation; and 

a pluggable security policy enforcement module, separate from the business 
logic layer, to enforce security restrictions on accessing information stored at the 
plurality of resources based on the operation corresponding to the individual 
request . 



36. (currently Amended) An architecture as recited in claim 35, wherein the 
pluggable security pohcy enforcement module defines high-level permission 
concepts for security rules and further defines a set of security rules using the 
high-level permission concepts which include context and operation . 



37. (currently Amended) An architecture as recited in claim 36 , wherein the 
high - level pormiosion concepts include an operation and a context, wherein the 
operation allows identification of an operation to be performed and the context 
allows identification of what the operation is to be performed on. 



38. (original) An architecture as recited in claim 35, wherein the pluggable 
security policy enforcement module can be replaced with another pluggable 
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security policy enforcement module to enforce different security restrictions 
without altering the business logic layer. 



39. (original) An architecture as recited in claim 35, wherein the pluggable 
security policy enforcement module is configured to determine, based at least in 
part on a permission assigned to a user and on one or more additional tests 
identified by accessing the business logic layer, whether to permit an operation to 
access information at the plurality of resources. 

40. (previously presented) A system as recited in claim 1, wherein the 
system is configured as a multi-layer architecture, wherein the business logic 
module is implemented as a business logic layer of the multi-layer architecture. 

41. (previously presented) A system as recited in claim 1, wherein the 
pluggable security policy enforcement module is configured to receive an input 
from the business logic module in the form of a user indication and an item 
indication. 

42. (previously presented) A system as recited in claim 1, wherein the 
pluggable security policy module includes an interface that provides the following 
interface functionality: 

first functionality for testing whether an identified item can be approved by 
a specified user; 

second functionahty for testing whether the identified item of a specified 
type can be created by the specified user; 
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third functionality for testing whether the identified item can be deleted by 
the specified user; 

fourth functionality for testing whether the identified item can be modified 
by the specified user; and 

fifth functionality for testing whether the identified user can examine 
details of the identified item. 

43. (new) A computing system as recited in claim 1, wherein the particular 
a business logic operation is selected from the group consisting of creation, 
deletion, viewing, approval, and modification. 

44. (new) A computing system as recited in claim 1, wherein the 
determination is at least partially based on a context which allows identification of 
what object the business logic operation is to be performed on. 

45 (new) One or more computer-readable media as recited in claim 8, 
wherein the set of zero or more tests is selected from the group consisting of 
creation, deletion, viewing, approval, and modification. 

46 (new) A method as recited in claim 19, wherein the operation is selected 
from the group consisting of creation, deletion, viewing, approval, and 
modification. 
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